The Securities and Exchange Commission (SEC) has voted to implement new rules that will require publicly traded companies to disclose material cybersecurity attacks to the public. Under these rules, companies must assess whether a cyber attack they have experienced will have a significant impact on their operations and, if so, they must disclose the event within four days of making that determination. The disclosure should be made within four business days of determining the incident's materiality, with the possibility of a delay if it poses a significant risk to national security or public safety. Additionally, public companies will need to detail the processes they have in place to manage material risks arising from cybersecurity threats. Foreign private issuers are also required to make comparable disclosures.
Consistent and comparable cybersecurity disclosure
The objective of these rules is to provide consistent and comparable cybersecurity disclosure to benefit investors, companies, and the markets. The rules mandate registrants to report any material cybersecurity incident on Form 8-K, providing details about the incident's nature, scope, timing, and its impact on the company. The rules will become effective 30 days after being published in the Federal Register. Disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
The recent headlines regarding the new rules have centered around item 1.05, which imposes a mandate for reporting "material cyber incidents" within a strict timeline of four working days. While item 1.05 is undoubtedly a significant step towards unifying and structuring cyber incident reporting, the true power of these new rules lies in item 1.06, which seems to have been somewhat overlooked in initial press reporting.
Going beyond incident reporting
Item 1.06 goes beyond incident reporting and introduces a crucial requirement for annual attestation. This requires registrants to describe their processes for assessing, identifying, and managing material cybersecurity risks, as well as the effects of previous incidents. They must also disclose the board of directors' oversight of cybersecurity risks and management's expertise in handling these risks in their annual report on Form 10-K.
In essence, item 1.05 establishes the necessary actions companies must take when facing a cyber incident, while item 1.06 emphasizes what companies should be doing continuously to avoid finding themselves in "Item 1.05 situations." This move towards mandating annual reporting on an organization's "Information Security Context, Requirements, Objectives, and Scope" bears a strong resemblance to the principles found in ISO-27001, which is widely regarded as a robust information security management standard.
A positive development
These new SEC rules will undoubtedly compel organizations to reevaluate their approach to cyber risk management. They will serve to focus the minds of organizations around how they address cyber risk and ensure that focus extends to the most senior levels and most importantly ensure that this focus is maintained.
Implementing such practices is, in my view, a positive development.
In the realm of practicality, reality often interposes itself, disrupting even the most laudable and advantageous ideals. Such disruptions may equally apply to the newly introduced SEC regulations.
Numerous organizations who now find themselves within the scope of these reporting and governance mandates find themselves lacking a dedicated cyber governance function or discover their resources woefully misaligned to effectively meet the stipulated requirements. It is worth noting that mature Information Security governance is an ongoing process, rather than an instantaneous destination that can be effortlessly activated at a moment's notice.
Consequently, many organizations, mine included, have adopted an approach characterized by enhanced visibility and an iterative control system to meet these obligatory demands.
With this approach, we not only demonstrate evidence of risk-based controls but also ensure a perpetual optimization of these controls—a dynamic stride towards safeguarding our digital domains amidst a rapidly evolving landscape.
For Next, the Reveal platform is the cornerstone of this approach.
